17 April 2017

Alienvault: Deploying a virtual SIEM

Last week, we saw how to deploy a virtual firewall in VMware infrastructure to test new features and learn about FortiOS 5.4. However, deploying virtual machines into VMware infrastructure is also a good way to learn how other products work, such as load balancers, routers, switches, SIEMs, etc. Therefore, this time we are going to see how to deploy the AlienVault USM Appliance, which can be useful for comparing it with the free AlienVault OSSIM. In addition, we'll see that the commercial edition has more security directives than the free edition, even for detecting the latest Apache Struts attacks.

The first step is to register to download the USM Appliance (On-Premises) Free Trial and deploy it into our virtual infrastructure. We shouldn't confuse it with USM Anywhere (In the Cloud), which is another product where the intelligence, events and information live in the cloud, and we only have to deploy sensors throughout the organization.

Next, I deployed the OVF template called VMWARE-AlienVault_USM_All-in-One_5.3.6.ova as a new virtual machine in the VMware infrastructure. We'll notice that the USM Appliance needs a lot of resources: 8 CPUs, 16 GB of RAM and 1 TB of disk.

Alienvault USM Appliance

Once the virtual SIEM is imported into VMware, some basic configuration, such as the management IP address and DNS, has to be done through a wizard from the console. From then on, everything is done from the web interface.

Nevertheless, AlienVault provides a Quick Start Guide and a Deployment Guide to help us deploy and configure their appliances easily.

Alienvault Deployment Guide

If we want to test, for instance, the latest security directives, such as the one for the recent Apache Struts vulnerability, we would have to upgrade the Threat Intelligence signatures, which is not possible from the Free Trial. If we want to keep the USM Free Trial updated, we have to download the security directives from the commercial version and import them into the USM Free Trial.

Correlation Directives

Now it's time to create threat intelligence policies. I have created a new policy to alert by email when something goes wrong, such as a traffic scan, a web attack, a malware infection, etc. What's more, we can also configure it to execute an external program when something wrong is happening.

USM Policies

It's time to attack and check whether USM is detecting the malicious activity or whether we are bypassing its security protections. This can be done by watching the security events and alarms.

Apache Struts Alarms

Regards my friends, and remember: play and test with your toys to know how they work.